ASP.NET expert Stephen Walther discusses how you can extend the ASP.NET runtime. In this article, you learn how to implement an HTTP module in order to create a custom XML authentication and authorization system.

From the author of

From the author of

The ASP.NET Framework was designed to be modular. For example, if you
don't like the way that Microsoft implemented Session state, caching or
authentication, then you can simply replace any of Microsoft's modules with
one of your own. This article discusses how you can build your own HTTP modules
by walking you through the process of creating an XML authentication and
authorization module.

Understanding HTTP Modules

An HTTP module is a class that contains code that executes whenever
someone makes a request for a page in your ASP.NET application. Because a module
executes each and every time someone makes a request for a page, modules are
perfect for implementing functionality such as caching, authentication, and
state management.

In the old, ugly, messy days before ASP.NET, the only way to implement the
functionality of a module was to create something called an ISAPI filter.
Creating an ISAPI filter required significant work. Fortunately, creating an
HTTP module requires very little work because you can take advantage of the same
programming skills used when building normal ASP.NET pages.

The ASP.NET Framework, by default, makes use of the following modules:

The FileAuthorization moduleUsed for implementing file
authorization by using Windows file system ACLs

All of these modules are called whenever you make a request for a page in an
ASP.NET application. For example, the Session module handles the details of
storing and retrieving items from Session state between page requests.

These standard modules are listed in the Machine.Config file located in the
following folder:

\WINNT\Microsoft.NET\Framework\[version]\CONFIG

You can find the modules listed in the <httpModules> section
of the Machine.Config file. For example, the Machine.Config section on my server
looks like this:

You'll notice that the name and the class responsible for implementing
each module are listed. For example, the Session Module is implemented by the
System.Web.SessionState.SessionStateModule class.

If you want to modify the way that Session state is implemented in the
ASP.NET Framework, you can replace the Session module with your own custom
Session module. Simply modify the listing in the <httpModules>
section so that it points to your custom class.

Furthermore, if you want to add your own modules to the ASP.NET Framework,
then you simply need to list a new module in the <httpModules>
section. You can modify the Machine.Config file when you want to use the new
module with all applications located on your Web server. Alternatively, if you
want to use the new module with a particular application, you can add a
Web.Config file to the root directory of that application.